Security Incidents mailing list archives
RE: HTTP attack looking for /sumthin ?
From: "Esler, Joel" <EslerJ () RCERT-S ARMY MIL>
Date: Thu, 17 Oct 2002 15:30:46 -0400
Looks like a automated scan, looking for active web servers. Are the IP's sequential? How about on Source? are they sequentialized ports? -----Original Message----- From: cory [mailto:loon () loadedpenguin com] Sent: Thursday, October 17, 2002 1:56 PM To: jmaywood1975 () hushmail com; incidents () securityfocus com Subject: Re: HTTP attack looking for /sumthin ? I have seen this on our servers, starting Oct 12 with 213.165.144.xxx (only one ip) and then again on the 15th from 194.236.60.xxx (also one ip) . Each time they hit they sent 5 to 6 attempts within one second, all looking in the same place. 213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-" 213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-" 213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-" 213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-" 213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-" (6 times in all.) All logs look identical to your post. What do we have here ? cheers, cory jmaywood1975 () hushmail com wrote:
Does anyone have any ideas what attack this might be? Below shows 4 seperate potential attacks by 3 different hosts, this is all
the activity in my logs for those three hosts, nothing more anywhere related to those three ip address.
It starts with a request for the directory /sumthin maybe tries a header exploit by sending a VERSION method? and connects ssl.
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- HTTP attack looking for /sumthin ? jmaywood1975 (Oct 17)
- Re: HTTP attack looking for /sumthin ? cory (Oct 17)
- Re: HTTP attack looking for /sumthin ? Scott C. Kennedy (Oct 17)
- Re: HTTP attack looking for /sumthin ? H C (Oct 17)
- <Possible follow-ups>
- Re: HTTP attack looking for /sumthin ? zeno (Oct 17)
- RE: HTTP attack looking for /sumthin ? Esler, Joel (Oct 17)
- Re: HTTP attack looking for /sumthin ? Johnny Calhoun (Oct 17)
- Re: HTTP attack looking for /sumthin ? Patrick Oonk (Oct 18)
- Re: HTTP attack looking for /sumthin ? Hugo van der Kooij (Oct 18)
- Re: HTTP attack looking for /sumthin ? Patrick Oonk (Oct 18)
- Re: HTTP attack looking for /sumthin ? Fred Williams (Oct 17)
- RE: HTTP attack looking for /sumthin ? Beckett, Josh (Oct 17)
- Re: HTTP attack looking for /sumthin ? cory (Oct 17)